hxxp://https-3A__www[.]linkedin[.]com_company_department-2Dof-2Dregulatory-2Dagencies_&d=DwMFaQ&c=sdnEM9SRGFuMt5z5w3AhsPNahmNicq64TgF1JwNR0cs&r=1nvwWHLVzR4ymC9MUV3R-Op1DVcr5bMN5y_LRmrR0Oo&m=Taaz3RUznxFmasElauViSHkUotI4_ugPrMBufr9NHMdTK7_rCJr-E8RLV8H4G5KS&s=1_hUOMibPRY8ZIv4VI652Hg0ge0wiGX0FUrQt5IyVaQ&e=

Analysis

max time kernel
19s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://https-3A__www.linkedin.com_company_department-2Dof-2Dregulatory-2Dagencies_&d=DwMFaQ&c=sdnEM9SRGFuMt5z5w3AhsPNahmNicq64TgF1JwNR0cs&r=1nvwWHLVzR4ymC9MUV3R-Op1DVcr5bMN5y_LRmrR0Oo&m=Taaz3RUznxFmasElauViSHkUotI4_ugPrMBufr9NHMdTK7_rCJr-E8RLV8H4G5KS&s=1_hUOMibPRY8ZIv4VI652Hg0ge0wiGX0FUrQt5IyVaQ&e=

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeDebugPrivilege	3528	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3528	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 1532 wrote to memory of 3528	1532	firefox.exe	83
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 436	3528	firefox.exe	84
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85
PID 3528 wrote to memory of 3940	3528	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://https-3A__www.linkedin.com_company_department-2Dof-2Dregulatory-2Dagencies_&d=DwMFaQ&c=sdnEM9SRGFuMt5z5w3AhsPNahmNicq64TgF1JwNR0cs&r=1nvwWHLVzR4ymC9MUV3R-Op1DVcr5bMN5y_LRmrR0Oo&m=Taaz3RUznxFmasElauViSHkUotI4_ugPrMBufr9NHMdTK7_rCJr-E8RLV8H4G5KS&s=1_hUOMibPRY8ZIv4VI652Hg0ge0wiGX0FUrQt5IyVaQ&e="
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://https-3A__www.linkedin.com_company_department-2Dof-2Dregulatory-2Dagencies_&d=DwMFaQ&c=sdnEM9SRGFuMt5z5w3AhsPNahmNicq64TgF1JwNR0cs&r=1nvwWHLVzR4ymC9MUV3R-Op1DVcr5bMN5y_LRmrR0Oo&m=Taaz3RUznxFmasElauViSHkUotI4_ugPrMBufr9NHMdTK7_rCJr-E8RLV8H4G5KS&s=1_hUOMibPRY8ZIv4VI652Hg0ge0wiGX0FUrQt5IyVaQ&e=
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.0.1321391807\1630493662" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a968c6b-48ca-4232-8680-74aa45523669} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 1856 27c210f5458 gpu
    3⤵
    PID:436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.1.1224774963\950050094" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27635e65-4903-460a-8704-bda552a33555} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2452 27c0df8ba58 socket
    3⤵
    PID:3940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.2.485890453\2013503376" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2992 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35d47b3b-f831-43ee-a123-5859ac509fa4} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2960 27c25137558 tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.3.357653616\1098852252" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df3521bc-1ef4-4f93-badb-23ebf19ffe0a} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 3656 27c26aae358 tab
    3⤵
    PID:1016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.4.727252689\1184642100" -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5172 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c360342d-cf3e-43c2-ab90-be429bcb6748} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5200 27c28933358 tab
    3⤵
    PID:4308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.5.632271268\1142774872" -childID 4 -isForBrowser -prefsHandle 5316 -prefMapHandle 5324 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b77f560b-1a05-42af-9ad8-a0f3276b0efe} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5404 27c28932158 tab
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.6.35982375\1421716679" -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1248 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9908b30-bf80-4b7e-ba19-73dd074a9644} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5472 27c28932758 tab
    3⤵
    PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
9ccb557eeda41d0e6da3d8ddb9e0a211

SHA1
8d97cc5ed36f63f7216583116b3132d32f0c8546

SHA256
3eef9bbcb67b143f082356b0a6174a6c76e8c0375516d2a8a79159afffffbfb7

SHA512
fc2a37ed460d522e6db19cef22e6f14b9c3ccce7ba00b7a24fa2c24eb642c2f4bde16d232a48a52f762b8be0a4ac49eb618c43275937abfc6d915591d1c75a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs.js

Filesize
6KB

MD5
6f35324ec4b8dc080ef089bcceb76eca

SHA1
182f9a714c330fbec6fb4708f80416b47709ee66

SHA256
d00773e1c1e351e55a8203159d677a181dc6ecd955813960b3c931d449d1efc6

SHA512
10fb9c1f4686cdf20f9a85d621312b7c15e542c8b80feeef0ec5e1a0c39bceea6654d7474664df2985b2f36ad4c7f8065db3eafe2b939298ed4b751390c2dcfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ee75d45f5665720f91f1d48c51677e4b

SHA1
46176bcd2ca35e75e04dd142b3fa8fed92a12a03

SHA256
034ac5c4d8e2d518274f1492b909a25d7f60e655a8ebc2ab0732238b84291346

SHA512
cace02f91a8bdcee1c571e793a02ab6bc268583181fd441283208255c7e890ef8da0ea320d97a3165054589d77ac0212ca0574e7d2f14a363208e837428e07b9

Download Submit